Creating Custom Httphandler In Web.config: Am I At Risk Of Exposing A 'Padding Oracle' Vulnerability?

Oct 29, 2010

Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?

Asked in another way... what did MSFT do wrong and what did they fix in their handlers?

View 2 Replies

Similar Messages:

Invalid Viewstate Since Oracle Padding Vulnerability Security Patch

Sep 29, 2010

Since installing the security patch for the ASP.NET Oracle Padding vunerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.

The errors logged on the server are

System.Web.UI.ViewStateException: Invalid viewstate.
Client IP:
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer: Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl

With custom errors switched off a user sees the following information

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: [ViewStateException: Invalid viewstate.
Client IP:
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Path: /]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]

System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90

to delete all cookies and log back in, but obviously an average user, won't know to do this and I'm worried they will just think our site is broken.

View 3 Replies

C# - Creating And Exposing Web Service In MVC 2

Feb 20, 2011

I've looked around for some tutorials, but everything I see is how to use REST services with my app. But that's not really what I need, I'm not doing basic GET requests, the end user needs to do some complicated calculations with several classes and variables from my web service.

In a Web Forms app, I would just add a Web Services solution and do everything in there. Is that the recommended solution for an MVC app?

View 2 Replies

Creating/Exposing WCF Services From An Existing Application?

Feb 24, 2011

We need to expose some services (i.e. AddressValidatorService, CustomerFinderService) that currently reside in an ASP.NET application to other applications within our organization. Exposing these services via WCF seems like a natural fit, but I don't see any best-practices for how to pull these common services into a WCF wrapper in such a way that my existing ASP.NET application can continue to use them with minimal code changes and/or awareness that the service they are consuming is no longer in-process. I'm especially looking for recommendations on how to structure the existing ASP.NET solution and whether to host our new WCF in the same solution or in some new shared WCF solution referenced by both our ASP.NET application and external callers.Also, is it bad practice to simply promote the DTOs currently only consumed in-process via ASP.NET to full fledged data contracts or is it preferable to create duplicate DTOs that are explicitly decorated with [DataContract]?

View 3 Replies

Adding MachineKey To Web.config On Web-farm Sites / Padding Is Invalid And Cannot Be Removed

Oct 4, 2010

We (out IT partner really) recently changed some DNS for a web farmed site we have so that the two production server have round-robin DNS switching between the two. Prior to this switch we didn't really have problems with WebResource.axd files. Since the switch, when we hit the live public URL, we get an error:


Padding is invalid and cannot be removed.

When we hit the specific servers themselves, they load fine. I've researched the issue and it seems since they're sharing assets between two servers, we need to have a consistent machineKey in the web.config for each server so they can encrypt and decrypt consistently between the two. My questions are:

Can I generate a machineKey via a tool on the server, or do I need to write code to do this?

Do I just need to add the machineKey to the web.config on each server or do you think I'll need to do anything else to make the two server work together? (Both web.config's currently do not have a machineKey)

View 2 Replies

Set Padding - Left To Custom Textbox In Css?

Jun 27, 2010

How to set padding-left to my custom textbox in css?

View 1 Replies

Configuration :: HttpHandler Two Web.config

Apr 1, 2010

I have an website in IIS 6.0 (windows 2003). Inside that I had configured another application (As IIS Application).

Now, When I uncommend a "add verb" tag in main web.config file, the webservice inside the application throws "404 file not found exception" Is there anything which I need to update in child web.config?

View 1 Replies

Convert Httphandler-text In Web.config From ASP.NET 3.5 To ASP.NET 4.0 Iis 7.5

Jul 17, 2010

I have the following text in web.config file in ASP.NET 3.5:

<add verb="*" path="CaptchaImage.aspx" type="AspCaptcha.CaptchaHandler, AspCaptcha"/>

View 1 Replies

C# - Dynamically Register An HttpHandler In Code (not In Web.config)

Mar 23, 2010

Is there a way I can dynamically register an IHttpHandler in C# code, instead of having to manually add it to the system.web/httpHandlers section in the web.config.

This may sound crazy, but I have good reason for doing this. I'm building a WidgetLibrary that a website owner can use just by dropping a .dll file into their bin directory, and want to support this with minimal configuration to the web.config.

View 2 Replies

How To Add An HttpHandler For Image Extensions That Depending Whether A Variable In The Web.config

Mar 27, 2010

I am in the process of moving all of the images in my web application over to a CDN but I want to easily be able to switch the CDN on or off without having to hard code the path to the images. My first thought was to add an HttpHandler for image extensions that depending whether a variable in the web.config (something like ) will serve the image from the server or from the CDN. But after giving this a little though I think I've essentially ruled this out as it will cause ASP.NET to handle the request for every single image, thus adding overhead, and it might actually completely mitigate the benefits of using a CDN.

An alternative approach is, since all of my pages inherit from a base page class, I could create a function in the base class that determines what path to serve the files from based off the web.config variable. I would then do something like this in the markup:

<img src='<%= GetImagePath()/image.png' />

I think this is probably what I'll have to end up doing, but it seems a little clunky to me. I also envision problems with the old .NET error of not being able to modify the control collection because of the "<%=" though the "<%#" solution will probably work.

View 8 Replies

C# - Using Custom Httphandler From A Custom Assembly?

Feb 18, 2011

Is it possible to register a custom httphandler in a stand alone assembly? I'm writing a control toolkit that uses httphandlers to perform AJAX and I would like to make the use of the toolkit as low friction for the web developers as possible. There will be quite a few handlers and I dont want the developer to have to register them all in the web.config.

View 2 Replies

How To Rewrite A Path Using A Custom HttpHandler

Apr 14, 2010

I'm writing a multi-tenant app that will receive requests like and I want the requests to actually map to the folder location /content/tenant1/images/logo.gif and /content/anothertenant/images/logo.gif

I'm using Mvc 2 so I'm sure there's probably a way to setup a route to handle this or a custom route handler?

View 2 Replies

C# - Selecting HttpHandler From Custom HttpModule?

Feb 17, 2011

I have an HttpModule and I'd like to choose the HttpHandler for the current request, is that possible? Also web.config is not an option because the condition is not based on path or extension. My googling skills have failed me, no matter what keywords I use all the results are "IHttpHandler vs IHttpModule".

View 3 Replies

Databases :: Creating Connection To Oracle?

Sep 1, 2010

I am currently working on the connection between ASP.NET and Oracle. I tried to search over the net and know there are many ways. Is there any 'normal practice' on which method to be used? Or it depends?

View 1 Replies

Developed A 3.5 X64 Web Application That Includes A Custom HttpHandler?

Mar 22, 2011

I developed a .Net 3.5 x64 web application that includes a custom HttpHandler in the config:

<add path="*.class1" verb="GET" type="ClassLibrary1.Class1Handler"/>

This works when the platform target for ClassLibrary1 is set at x86.
However, when I set this to x64 I get the following error when I run web application starts (it compiles just fine): Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. Parser Error Message: Could not load file or assembly 'ClassLibrary1, Version=, Culture=neutral, PublicKeyToken=null' or one of its dependencies. An attempt was made to load a program with an incorrect format.

Does this mean that a HttpHandler can be compiled at x86 only?That doesn't make much sense to me.Does anyone have an idea of what could be going on?Edit 1:The ClassLibrary1 project is just an empty class library project with a single HttpHandler added (which is also empty).Edit 2:I am also getting these warning messages when compiling, I am pretty sure they have something to do with this problem: Assembly generation -- Referenced assembly 'mscorlib.dll' targets a different processor HttpTestEdit 3:I manually edited the project file to force references to the x64 assemblies, like this:

<Reference Include="$(Windir)Microsoft.NETFramework64v2.0.50727System.dll"/>

This does supress the above warning message, but the problem isn't resolved.

View 2 Replies

Trying To Get Custom HttpHandler Working In Sample Web Application?

Aug 29, 2010

I'm trying to get custom HttpHandler working in my sample web application. I've been experiencing a lot of issues, but finally got stuck with error 500. Application pool is being run in Classic ASP.NET 2.0 mode. Server is IIS 7.5, OS is Win 7 Pro.

Here's a code of my handler:


View 1 Replies

C# - How To Handle Null Return From Custom HttpHandler

Jun 8, 2010

I'm using a custom ashx HttpHandler to retrieve gif images from a database and show it on a website - when the image exists, it works great.

However, there are cases when the image will not exist, and I'd like to have the html table holding the image to become invisible so the "image not found" icon is not shown.


View 4 Replies

.net - Custom HttpHandler To Block Downloads Of .wmv Files?

Jan 4, 2010

I create a custom http handler to block download of .wmv files e.g. (blocked by httpHandler).

But the problem is that now silverlight cannot also stream these video files as they are blocked too.

View 1 Replies

Security :: Custom HttpHandler To Block .wmv Files?

Jan 4, 2010

On my website,, I create screencasts to which are streamed through silverlight.

I create a custom handler to block the download of .wmv files from the url like [URL]

But the problem is now the silverlight has also stopped streaming files.

View 1 Replies

Databases :: Config When Accessing Oracle?

Feb 1, 2010

VB.NET 2.0, windows forms applications. I have two applications, A and B. A accesses a remote Oracle database already, B needs to access a different database, but also Oracle, from the same outside source.So, I thought it would be easy; copy code to connect, change the query, and off we go. But I keep getting the old ORA-12154 error that it can't resolve the connect identifier.First, I developed the query usng sql plus connecting to the target database. So, I know the machine has appropriate entries in tnsnames.ora.Second, I cut-and-pasted the block of code from B into A and gave A a test. It successfully connects and runs the query. So, I know that the data source, user id, password and sql are o.k.Third, I looked in the registry (HKEY_LOCAL_MACHINESOFTWAREOracle) and found the all ORACLE_HOME paths that were set up. Went down all those paths to insure the tnsnames file had my new connection defined.Fourth, I'm able to find the database B is trying to get to via tnsping from the command prompt.Fifth, I copied the connection string from A to B, just to see if it could connect to the database A is known to connect to. Same exception.So, everything connects everywhere except B, who cannot get to Oracle at all. I just can't find what's telling B to use a different tnsnames file (maybe?).Missing something obvious, no doubt.[Edit]I realized overnight I hadn't shown how I was connecting. (The exception is thrown trying to open the connection.) Pretty simple:



View 2 Replies

SQL Reporting :: Creating A Data Source To Oracle?

Feb 11, 2010

I'm stumped after a few days of searching and trying to create a Data Source to Oracle for a report under Visual Studio 2005. I followed the guide at


I am able to connect through the Server Explorer to our Oracle database using both .NET Framwork Data Provider for Oracle and Oracle Data Provider for .NET. I can execute queries on both of these and retrieve data.

The problems start when I try to create a data source under the Solution Explorer. I have created a Business Intelligence project on my local computer.

Data Source Wizard Select Create a data source based on an existing or new connection. Click New... Here the Provider is disabled and it appears defaulted to SqlClient Data Provider. All I can do is connect to a MSSQL server.

How can I connect to an Oracle database here?

View 5 Replies

HttpHandlers / Modules :: Custom HttpHandler Generally Fails

Jun 22, 2010

I'm trying to secure my web application so XML files it contains can't be downloaded. I thought it would be as simple as adding these to the "httpHandlers" section of web.config:

<remove verb="*" path="*.xml"/>
<add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler"/>

This failed - the XML files could still be downloaded easily. I tried different browsers in case they were caching, but everything could download the XML files without any trouble. I thought this might be due to some special handling of XML, so I tried mocking up an alternative based on ".txt123" files. I added this file with some dummy content:


View 1 Replies

HttpHandlers / Modules :: How To Pass Custom Information To Our HTTPHandler

Mar 8, 2011

We have a handler to deal with .dat files.. everything is already setup and server is acknowledging the file type and doing its thing to handle it..

But the handler requires 1 bit of information along with the HTTP request which is a physical file path.. the file name it knows based on the file we call , but how can i pass a custom header along with the request so that the handler will use that when the request is made?

Basically when on our player.aspx page, i will have a button, when you click that button a request is made to the .dat file, but along with that request i need to send the physical file path.. how can i do that?

View 3 Replies

Custom Server Controls :: Hide A Method While Creating Custom Control By Inheriting WebControl?

Nov 29, 2010

I am creating a custom control by inheriting a server control, say LinkButton. There are properties like "BorderColor" available in LinkButton. Let's say, I don't want this particular property to be available when I create an instance of the custom control.

I want to completely hide this particular property (I don't want to override it but disable it.)

My code is as follows:


View 3 Replies

IIS Configuration :: Adding Add Section In HttpHandler Section In Web Config Results In Blank Page?

Jul 12, 2013

with this code website works perfect


but when I add

<add path="ThumbHandler.ashx" verb="*" type="Delshad.WebControls.ThumbHandler,Delshad.ThumbPic"/>


<add verb="GET" path="CaptchaImage.axd"
type="MSCaptcha.CaptchaImageHandler, MSCaptcha" />

in httphandlers section when I go in my site it is only a blank page!

before In other two host there wasent problem but this is a new host and I face with this problem.also in local there isn't any problem.

View 1 Replies

Copyrights 2005-15, All rights reserved